Re: IPSEC Security Gateways & NAT
----- Original Message -----
From: "Derek Atkins" <warlord@mit.edu>
> > HASH_I = pfr(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)
>
> Um, I don't see anything here that necessarily depends upon the IP
> Address of either Initiator or Responder. Perhaps I am being dense,
> but could you please point out the specific term to which you refer?
> Keep in mind that the ID term is **NOT** necessarily tied to the IP
> Address, as you can use many types of ID (such as FQDN) that are
> "movable".
>
Isn't there a problem in using pre-shared keys for authentication in
the main mode? The responder uses the IP address to look up the
pre-shared key. Because of NAT, it may not be able to look up the
correct pre-shared key?! If you use aggressive mode, you can overcome
this problem, but the authors of ESPinUSP proposal use the main
mode in their example.
regards,
Jayant
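The pre-shared-key lookup problem described above, modelled as a short added Python example (it is not code from this thread or from any IKE implementation): the prf is assumed to be HMAC-SHA1, SKEYID follows the pre-shared-key form prf(psk, Ni_b | Nr_b), and all addresses, cookies and nonces are constructed sample values. In main mode the responder can only select a key by the packet's source address, which a NAT has rewritten; in aggressive mode IDii_b is readable in the first message and can select the key instead.

```python
import hmac
import hashlib
import os

def prf(key: bytes, data: bytes) -> bytes:
    # IKEv1 prf modelled as HMAC-SHA1 (assumption: SHA1 negotiated as the hash)
    return hmac.new(key, data, hashlib.sha1).digest()

def skeyid_psk(psk: bytes, ni_b: bytes, nr_b: bytes) -> bytes:
    # Pre-shared-key authentication: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)
    return prf(psk, ni_b + nr_b)

def hash_i(skeyid: bytes, m: dict) -> bytes:
    # HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)
    return prf(skeyid, m["gxi"] + m["gxr"] + m["cky_i"] + m["cky_r"]
               + m["sai_b"] + m["idii_b"])

# Constructed sample values: one initiator, its real address, the NAT in front of it.
INITIATOR_IP = "198.51.100.7"
NAT_PUBLIC_IP = "203.0.113.1"
PSK = b"constructed-shared-secret"
PSK_BY_IP = {INITIATOR_IP: PSK}          # the only selector main mode leaves the responder
PSK_BY_ID = {b"host.example.org": PSK}   # usable once IDii_b can be read

def initiator_exchange(psk: bytes, idii_b: bytes) -> dict:
    """Constructed Phase 1 values as the initiator computes them (g^x are placeholders)."""
    m = {"gxi": os.urandom(32), "gxr": os.urandom(32),
         "cky_i": os.urandom(8), "cky_r": os.urandom(8),
         "sai_b": b"constructed-SA-payload", "idii_b": idii_b,
         "ni_b": os.urandom(16), "nr_b": os.urandom(16)}
    m["hash_i"] = hash_i(skeyid_psk(psk, m["ni_b"], m["nr_b"]), m)
    return m

def responder_verifies(mode: str, src_ip: str, m: dict) -> bool:
    """Can the responder pick the right pre-shared key and validate HASH_I?"""
    if mode == "main":
        # IDii is carried encrypted under SKEYID-derived keys, so when SKEYID must
        # be computed the responder knows nothing but the packet's source address.
        psk = PSK_BY_IP.get(src_ip)
    else:
        # Aggressive mode: IDii_b is in the first, cleartext message.
        psk = PSK_BY_ID.get(m["idii_b"])
    if psk is None:
        return False  # no key to derive SKEYID from; authentication cannot proceed
    expected = hash_i(skeyid_psk(psk, m["ni_b"], m["nr_b"]), m)
    return hmac.compare_digest(expected, m["hash_i"])

EXCHANGE = initiator_exchange(PSK, b"host.example.org")
```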